Palo Alto Networks PANOS 6.

1,
Cisco WLC 5500, Kiwi Syslogd
integration guide
Alberto Rivai
Systems Engineer – Major Accounts
Palo Alto Networks
Melbourne, Australia
Summary
PAN-OS 6.0 introduced the ability to use the Palo Alto Networks firewall and
the User-ID Agent as a syslog listener for collecting syslogs from different
systems in the network, and to map users to IP addresses. The user to IP
mappings could be used in security rules and policies.

The problem with Cisco Wireless LAN Controller, it does not send successful
user authentication message through syslog. Cisco WLC generates SNMP
traps which we can utilize to get the user to IP mapping.

This document shows a quick configuration guide on how to configure Cisco

WLC to send SNMP traps to Kiwi Syslogd, which then converts and forwards
the messages through syslog protocol to Palo Alto Networks syslog receiver.

2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Cisco WLC configuration
Create SNMP receiver by going to Management tab and Trap Receivers

3 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Kiwi Syslogd configuration - 1
Open Kiwi Syslog server console, go to File -> Setup

Right click on Actions and create a new action

4 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Kiwi Syslogd configuration - 2
Select Forward to another host

Enter the IP address of the Palo Alto Networks syslog receiver

5 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Palo Alto Networks configuration - 1
Login to the WebUI

Go to Device -> User Identification

Click on the gear icon on the Palo Alto Networks User ID Agent setup window

6 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Palo Alto Networks configuration - 2
Go to Syslog Filters tab and click Add

Select Field Identifier

7 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Palo Alto Networks configuration - 3
Use the below identifier to identify the syslog message
Event String : enterprise=1.3.6.1.4.1.9.9.599.0.4
Username Prefix : 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=
Username Delimiter : ,
Address Prefix : cldcClientIPAddress.0=
Address Delimiter : ,

8 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Palo Alto Networks configuration - 4
Add Server Monitoring, go to Device – User Identification and click Add under
Server Monitoring window

Select type : Syslog Sender and enter the IP address of Kiwi Syslogd server

9 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Palo Alto Networks configuration - 5
Verify that the Syslog receiver is enabled

Go to Device – Setup – Management – Management Interface Setting

10 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Verify syslog receiver
Execute the below command
admin@PA-200-arivai> show user server-monitor <syslog
receiver name>

You will see the number of log messages increasing

11 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Verify syslog receiver
To identify if the syslog receiver successfully parsed the message and identify
users, execute the below command
admin@PA-200-arivai> show user ip-user-mapping all type
SYSLOG

12 | ©2014, Palo Alto Networks. Confidential and Proprietary.

13 | ©2014, Palo Alto Networks. Confidential and Proprietary.